HOWTO: TightVNC through Router with DDNS
I administer a small group of computers at work. Because it's quite far from where I live, I decided that it's time for VNC. Here's the deal: 4 computers, including 3 running Windows XP and one running Ubuntu. Every computer has two users: one unprivileged account and an administrator account, except the Linux box, which has Ubuntu's "root-less" policy. Every unit logs in to the user account automatically. All computers connect to the Internet through a gigabit router with a dynamic IP.
Here's what we will do:
1. Download and install application
2. Configure password and the first test
3. Set up DDNS
4. Assign static IP addresses
5. Configure incoming port on VNC servers
6. Create firewall exceptions
7. Set up port forwarding
8. Celebrate
Let's start with the PCs running Windows. From an Administrator account, download TightVNC (http://www.tightvnc.com/download.htm) and run the setup on all the computers. Choose to install it as a service and to start it right away.
Now, it helps a lot if you have, say, two computers near each other. Go to PC 1 and edit your settings using "Programs > TightVNC > Administration > Show Default Settings".
Enter passwords for you and for the voyeur. Click "Apply" and go to page "Administration".
Now uncheck the box "Enable built-in HTTP server", as we will use the client instead. Click "OK" and move to PC 2 to do the same thing.
OK, let's test it out. From the command prompt type "ipconfig" and hit enter to get the IP address of PC 2. Write it down and go to PC 1. A quote from Wikipedia:
VNC by default uses TCP ports 5900 through 5906, each port corresponding to a separate screen (:0 to :6). A Java viewer is available in many implementations such as RealVNC on ports 5800 through 5806, allowing clients to interact through, among other things, a Java-enabled web browser. Other ports can be used as long as both client and server are configured accordingly.
http://en.wikipedia.org/wiki/VNC
Fire up the TightVNC Viewer. Enter the previously collected IP address followed by ":5900" indicating the TCP port number, like this:
Now two things could happen: 1. a password prompt or 2. a dialog box telling you that there is no password set. If you get no. 2, note that "TightVNC > Documentation > Installation and Getting Started" has the following magic lines:
If you want to install TightVNC on a number of computers, and do not want to repeatedly enter the same password on each machine, install TightVNC once and set the password, then copy the registry settings to other computers. TightVNC settings can be found in the following sections in the registry:
HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3
HKEY_CURRENT_USER\Software\ORL\WinVNC3
Go to PC 2, look up these entries in regedit, delete the keys "Password" and "PasswordViewOnly", and set the passwords again with "TightVNC > Administration > Show Default Settings". You can set the same values under "TightVNC > Show User Settings", just to be sure.
Celebrate the victory by changing the Desktop background remotely. Next, make these settings on all of the machines and test it out. Notice that you can only access the account you first logged in to. We're going to address this issue later on.
OK, you have working VNC connections all over the LAN, so it's time to configure it to work through the router. We have a dynamic IP, but luckily the router supports DDNS updates. Go to http://www.dyndns.com/, set up a free account and choose a domain. If you don't know your WAN IP address, go to http://whatismyip.com/ to find it out. You now have a proper internet name for humankind. It's time to get rid of the router's default username/password. Change it.
The next issue is how to make a VNC connection to a specific computer. First, you have to know where to look for a given machine. Access your router's admin panel and find out the DHCP assignment range. It's mostly between 100-200 if the router is at 1, or 1-100 if the router is at 254. Count all the computers, and assign them numbers from 1 to 6 (or less) in your head. Go to the first computer and change its IP address to static, assigning an address NOT INCLUDED in the DHCP assignment range. If you have a DHCP range of, say, 100-200, name it 192.168.1.11 and the next one 192.168.1.12, etc. Go through all your computers. You may not want to disable DHCP on the router, as it comes in quite handy when you have wireless and people over with laptops. It also works for the computers you don't want to install VNC on.
Now let's set up the VNC server software to accept connections on a specific port. Open up "TightVNC > Administration > Show Default Settings" and under "Display or port number to use" check "Display" and enter 1 for the first computer. You now have Display 1 assigned to Computer 1, at IP address 192.168.1.11. It's easy. Again, go through all your machines, assign Display 2 to Computer 2, with IP address 192.168.1.12, etc. Display and port are practically synonyms, as display 0 stands for port 5900, display 1 stands for port 5901, and so on.
To get around the Windows Firewall, go to "Control Panel > Security Center > Windows Firewall", make sure that "Don't allow exceptions" is NOT checked, go to the "Advanced" tab and, to the right of "Local Area Connection" under "Network Connection Settings", click "Settings...". Under the "Services" tab, click "Add...". Enter "VNC" as "Description of service", the computer's name or IP in the next field as host and TCP port 5901 for both internal and external. Add this exception on the other machines. Again, for computer 2, enter port 5902, and so on. Without the firewall exception, the port will be blocked after the first connection. So you'd have a good first run and successive failures after that.
(Why allow the first connection and THEN close the port? It's surely not really secure, but it could be a psychological burden for the newbie hacker. Also, if later you have trouble connecting through the DDNS address, but succeed with local IP addresses, go to http://www.gotomyvnc.com/ to test your WAN IP for incoming port exceptions. If you see that port 5901, which you tried first, is closed, but port 5900, which you never touched, is open, your safest bet is a missing Windows Firewall exception.)
We now have machines with static IP addresses, firewall exceptions and VNC server software listening on the correct port. Let's set up the router to forward the requested port to the intended computer. If you have trouble with port forwarding, refer to http://portforward.com/ on how to forward a port on your router. Start with Computer 1, by entering its IP address and the intended TCP port for the remote connection. It should be port range 5901-5901 for IP address 192.168.2.11 or similar. On to the next computer: the new entry will be port range 5902-5902 for IP address 192.168.2.12, etc. VNC uses TCP connections, so selecting port type "TCP" should be enough. If you have trouble with your connections later, you can try setting this value to "Both".
Fire up the TightVNC client and test it. If everything's OK, you can celebrate with a massive remote desktop background change torrent over your network. Congratulations, you've made it!
For the Linux box, go to http://www.ubuntu-unleashed.com/2007/10/setup-vnc-server-for-ubuntu-gutsy.html and follow the easy 4-step guide. To make it run at startup, go to "Administration > Sessions", click "Add" under the "Startup Programs" tab and enter "x11vnc -forever -usepw -httpdir /usr/share/vnc-java/ -httpport 5800" into the field "Command:". If you didn't already, set up a static IP address. Go to "Administration > Network", unlock the panel, select "Wired connection" and click on "Properties". Now click to uncheck "Enable roaming mode" and change the configuration to "Static IP address". This will be computer 0, so the IP address should look something like: 192.168.1.10. You can access it through port 5900 with TightVNC Viewer.
Note that you can also address a remote computer with a display number instead of a port. Instead of "yourname.dyndns.com:5901", you could type "yourname.dyndns.com:1" to connect to computer 1.
IMPORTANT NOTE: the IP addresses listed here are for demonstration purposes! Your settings may vary depending on the hardware and configuration. Also, you can forward any port to any IP, listening on any port (in theory).
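To verify each step of the chain (display number, firewall exception, port forward), here is a small checker, added as an example and not part of the original post. It resolves "host:display" or "host:port" the way the note above describes and reads the 12-byte RFB greeting a VNC server sends first, so you can tell a closed port from an open one that is not VNC. The function names and the "below 100 means display number" rule are assumptions of this example.

```python
import socket

RFB_BASE_PORT = 5900  # display 0; display N listens on TCP 5900 + N


def parse_target(target):
    """Split 'host:N' into (host, tcp_port).

    Assumption of this example: N below 100 is a display number,
    anything else is a literal TCP port."""
    host, sep, num = target.rpartition(":")
    if not sep or not host or not num.isdigit():
        raise ValueError(f"expected host:display or host:port: {target!r}")
    n = int(num)
    port = RFB_BASE_PORT + n if n < 100 else n
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def parse_rfb_banner(data):
    """Return 'major.minor' from the 12-byte RFB greeting, else None."""
    # A VNC server speaks first: b'RFB 003.008\n' or similar.
    if len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b".":
        return None
    major, minor = data[4:7], data[8:11]
    if data[11:12] != b"\n" or not (major.isdigit() and minor.isdigit()):
        return None
    return f"{int(major)}.{int(minor)}"


def check_vnc(target, timeout=3.0):
    """Return 'closed', 'open-not-vnc' or 'vnc <version>' for a target."""
    host, port = parse_target(target)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    data = b""
    with sock:
        try:
            while len(data) < 12:
                chunk = sock.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # connected, but no greeting before the timeout
    version = parse_rfb_banner(data)
    return f"vnc {version}" if version else "open-not-vnc"
```

Call check_vnc("192.168.1.11:1") from inside the LAN first, then check_vnc("yourname.dyndns.com:1") from outside; a port you never meant to forward, such as display 0 on the DDNS name, should come back "closed".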